读取输入表
转自CSDN

为了更直观地了解输入表结构,请看下面来自《加密与解密》第三版中的图示:

Code

/*本程序旨在说明如何阅读IMAGE_IMPORT_DESCRIPTOR(IID)输入表结构*/  
#include <windows.h>  
#include <stdio.h>  
//ImageDirectoryEntryToData  
//微软的ImageHlp库中提供了大量用于操作PE文件的API  
#include <imagehlp.h>  
#pragma comment(lib,"imagehlp.lib")  
/************************************************************************  
概念:  
1.输入表(IID):  
数据目录第二个成员指向输入表,是一个以IMAGE_IMPORT_DESCRIPTOR(IID)结构开  
始,以一个空的IMAGE_IMPORT_DESCRIPTOR结构结束;每一个隐式链接进来的dll都  
有一个IID  
2.输入名称表(INT)  
由IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk指明其RVA,INT是一个  
IMAGE_THUNK_DATA结构数组,并以一个内容为0的元素结束;数组中每一个元素指向一个  
IMAGE_IMPORT_BY_NAME结构(若元素最高位被置位,则表示按序号导入,此时其值不是RVA)  
3.输入地址表(IAT)  
由IMAGE_IMPORT_DESCRIPTOR.FirstThunk指明其RVA;与INT非常相似,同样是一个  
IMAGE_THUNK_DATA结构数组;只是在pe加载时其中内容被填充为导入函数真正的地址  
************************************************************************/  
/************************************************************************/  
/* 读取输入表,输出到文件 */  
/************************************************************************/  
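/*
 * Walk the import descriptor array of a mapped PE image and write every
 * imported DLL, function and IAT slot to "ImportTable.log".
 *
 * hInstance   - base address of the image as mapped in memory.
 * pImportDesc - first IMAGE_IMPORT_DESCRIPTOR of that image.
 *
 * Returns TRUE when the log was written, FALSE on a NULL argument or when
 * the log file could not be opened or written.
 *
 * NOTE(review): none of the RVAs read here are checked against the size of
 * the image. That is acceptable for a module mapped by the Windows loader
 * (the caller passes its own HINSTANCE). Before pointing this at a file from
 * an untrusted source, validate every RVA against OptionalHeader.SizeOfImage
 * and make sure the name strings are terminated inside the image.
 */
BOOL ReadImportTable(HMODULE hInstance,PIMAGE_IMPORT_DESCRIPTOR pImportDesc)
{
  PBYTE pImageBase=(PBYTE)hInstance;
  FILE* pfile;
  BOOL ok;

  if (!pImageBase || !pImportDesc)
  {
    return FALSE;
  }

  pfile=fopen("ImportTable.log","w");
  if (!pfile)
  {
    MessageBox(NULL,"Open or Create ImportTable.log Failed!","ERROR",MB_ICONWARNING);
    return FALSE;
  }

  /*
   * The import table is an array of IMAGE_IMPORT_DESCRIPTOR, one per
   * implicitly linked DLL, terminated by an all-zero entry.
   */
  while (pImportDesc->FirstThunk != 0)
  {
    PCHAR dllName=(PCHAR)(pImageBase+pImportDesc->Name);
    /* IAT: in a loaded image these slots hold the resolved addresses. */
    PIMAGE_THUNK_DATA pFthunkData=(PIMAGE_THUNK_DATA)(pImageBase+pImportDesc->FirstThunk);
    /*
     * INT: still holds the name RVAs / ordinals. Some linkers leave
     * OriginalFirstThunk at 0; in that case there is no INT and adding the
     * RVA to the base would reinterpret the DOS header as thunk data.
     */
    PIMAGE_THUNK_DATA pOFthunkData=NULL;
    if (pImportDesc->OriginalFirstThunk != 0)
    {
      pOFthunkData=(PIMAGE_THUNK_DATA)(pImageBase+pImportDesc->OriginalFirstThunk);
    }

    fprintf(pfile,"\nImport DLL:%s>>>>>>>>>>>>>>>\n",dllName);

    /* Both arrays run in parallel and end with a zero element. */
    while (pFthunkData->u1.Function != 0 &&
           (pOFthunkData == NULL || pOFthunkData->u1.AddressOfData != 0))
    {
      if (pOFthunkData == NULL)
      {
        /* Names cannot be recovered from an already-bound IAT. */
        fprintf(pfile,"Import Func:(no INT)\t");
      }
      else if (IMAGE_SNAP_BY_ORDINAL(pOFthunkData->u1.Ordinal))
      {
        /* High bit set: import by ordinal, the value is NOT an RVA. */
        fprintf(pfile,"Import Func:#%lu\t",
                (unsigned long)IMAGE_ORDINAL(pOFthunkData->u1.Ordinal));
      }
      else
      {
        /* The RVA fits in 32 bits once the ordinal flag is ruled out. */
        DWORD ImportByNameRVA=(DWORD)pOFthunkData->u1.AddressOfData;
        PIMAGE_IMPORT_BY_NAME pImportByName=(PIMAGE_IMPORT_BY_NAME)(pImageBase+ImportByNameRVA);
        fprintf(pfile,"Import Func:%s\t",(PCHAR)pImportByName->Name);
      }

      /*
       * Slot address -> resolved address. %p keeps the full pointer width;
       * the former (DWORD) casts truncated both values on 64-bit builds.
       */
      fprintf(pfile,"@0x%p -> 0x%p\n",
              (void *)pFthunkData,(void *)(size_t)pFthunkData->u1.Function);

      pFthunkData++;
      if (pOFthunkData != NULL)
      {
        pOFthunkData++;
      }
    }
    pImportDesc++;
  }

  /* Report write failures instead of claiming success on a short log. */
  ok = ferror(pfile) ? FALSE : TRUE;
  if (fclose(pfile) != 0)
  {
    ok = FALSE;
  }
  return ok;
}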
/************************************************************************/  
/* 获得输入表(IID)的两种方法 */  
/************************************************************************/  
//方法1:通过ImageDirectoryEntryToData获得IID  
//ImageDirectoryEntryToData可以获得可选文件头中的所有数据目录,根据第三个参数  
/*
 * Method 1: let ImageHlp locate the import directory.
 *
 * ImageDirectoryEntryToData() returns a pointer to the data directory
 * selected by its third argument; the second argument (TRUE) states that
 * the module is mapped as an image rather than as a raw file. The reported
 * directory size is not used by this sample.
 *
 * Returns whatever the API returns, cast to the first import descriptor;
 * the caller treats NULL as failure.
 */
PIMAGE_IMPORT_DESCRIPTOR GetIATMethod1(HMODULE hInstance)
{
  ULONG cbDirectory;
  PVOID pDirectory = ImageDirectoryEntryToData(hInstance,
                                               TRUE,
                                               IMAGE_DIRECTORY_ENTRY_IMPORT,
                                               &cbDirectory);

  return (PIMAGE_IMPORT_DESCRIPTOR)pDirectory;
}
//方法2:通过自己定位可选文件头获得IID  
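/*
 * Method 2: locate the import directory by walking the PE headers by hand
 * (DOS header -> NT headers -> optional header -> data directory).
 *
 * hInstance - base address of the image as mapped in memory.
 *
 * Returns the first IMAGE_IMPORT_DESCRIPTOR, or NULL when the headers are
 * invalid or the image has no import directory.
 *
 * NOTE(review): e_lfanew and the directory RVA are taken from the image
 * itself and are not checked against the mapped size, which is not known at
 * this point. Fine for a loader-mapped module; validate both against the
 * real mapping size before using this on an untrusted file.
 */
PIMAGE_IMPORT_DESCRIPTOR GetIATMethod2(HMODULE hInstance)
{
  PBYTE pImageBase=(PBYTE)hInstance;
  PIMAGE_DOS_HEADER pDosHeader=(PIMAGE_DOS_HEADER)hInstance;
  PIMAGE_NT_HEADERS pNTHeaders;
  PIMAGE_OPTIONAL_HEADER pOptionalHeader;
  DWORD ImportTableRVA;

  if(!pImageBase)
  {
    return NULL;
  }

  /* DOS header: "MZ" magic and a forward offset to the NT headers. */
  if(pDosHeader->e_magic!= IMAGE_DOS_SIGNATURE || pDosHeader->e_lfanew<=0)
  {
    MessageBox(NULL,"DOS文件头有误!","ERROR",MB_ICONWARNING);
    return NULL;
  }

  /* NT headers: "PE\0\0" signature. */
  pNTHeaders=(PIMAGE_NT_HEADERS)(pImageBase+pDosHeader->e_lfanew);
  if(pNTHeaders->Signature != IMAGE_NT_SIGNATURE)
  {
    MessageBox(NULL,"无效的PE文件!","ERROR",MB_ICONWARNING);
    return NULL;
  }

  pOptionalHeader=&pNTHeaders->OptionalHeader;

  /* The header states how many directory entries it really carries. */
  if(pOptionalHeader->NumberOfRvaAndSizes<=IMAGE_DIRECTORY_ENTRY_IMPORT)
  {
    return NULL;
  }

  /*
   * An RVA of 0 means "no import directory". Returning pImageBase+0 would
   * hand the caller the DOS header to parse as an import descriptor.
   */
  ImportTableRVA=pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
  if(ImportTableRVA==0)
  {
    return NULL;
  }

  return (PIMAGE_IMPORT_DESCRIPTOR)(pImageBase+ImportTableRVA);
}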
/*
 * Entry point: find this module's import table and dump it through
 * ReadImportTable(), reporting the outcome in a message box.
 *
 * hInstance is used as the base of the PE image in memory; per the original
 * author's note, the same handle can be obtained from anywhere in the
 * program with GetModuleHandle(NULL).
 *
 * Always returns 0.
 */
int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR lpCmdLine,
                     int nCmdShow)
{
  /* Method 1 (ImageHlp) is used here; GetIATMethod2(hInstance) is the
     hand-rolled alternative that walks the headers itself. */
  PIMAGE_IMPORT_DESCRIPTOR pFirstDescriptor = GetIATMethod1(hInstance);

  if (pFirstDescriptor == NULL)
  {
    MessageBox(NULL,"GetIAT Failed!","ERROR",MB_ICONWARNING);
  }
  else if (!ReadImportTable(hInstance,pFirstDescriptor))
  {
    MessageBox(NULL,"ReadImportTable Failed!","ERROR",MB_ICONWARNING);
  }
  else
  {
    MessageBox(NULL,"ReadImportTable Succeed!","SUCCEED",MB_OK);
  }

  return 0;
}